Ethereal-users: RE: [Ethereal-users] Find Frame / Filtering

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Evers, John E." <JEVERS@xxxxxxx>
Date: Tue, 27 Aug 2002 11:43:09 -0500
Martin,


I am still having issues finding anything in the hex data payload field. I
have tried the following to find "This" at offset C4 in the file data, highlighted
in yellow.  I really need to find values in the file data without knowing
the offset in the file data field, but in some cases I also look for
something I know the offset of.  One other solution is to print out the data
to a file and use some other program for the search, but try opening a 500MB
file with MS WordPad or Notepad.

Filter and Find Frame (I also enclosed the hex values in "" to see if that
was the secret)

smb [c4:c7] == 54:68:69:73
tcp [c4:c7] == 54:68:69:73
ip [c4:c7] == 54:68:69:73
data [c4:c7] == 54:68:69:73

Frame 12 (1514 on wire, 1514 captured)
    Arrival Time: Aug 26, 2002 16:21:09.215750000
    Time delta from previous packet: 0.001852000 seconds
    Time relative to first packet: 0.476325000 seconds
    Frame Number: 12
    Packet Length: 1514 bytes
    Capture Length: 1514 bytes
Ethernet II
    Destination: 00:c0:4f:9b:a0:ba (TASKSERVER10)
    Source: 00:90:27:78:ad:ff (Intel_78:ad:ff)
    Type: IP (0x0800)
Internet Protocol, Src Addr: dell6300_sql2.lab.ncs.winternet.com (192.168.100.114), Dst Addr: TASKSERVER10 (192.168.100.10)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 1500
    Identification: 0xd04c
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0xdb01 (correct)
    Source: dell6300_sql2.lab.ncs.winternet.com (192.168.100.114)
    Destination: TASKSERVER10 (192.168.100.10)
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 1960 (1960), Seq: 177780446, Ack: 1629002547, Len: 1460
    Source port: microsoft-ds (445)
    Destination port: 1960 (1960)
    Sequence number: 177780446
    Next sequence number: 177781906
    Acknowledgement number: 1629002547
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16805
    Checksum: 0xdb4c (correct)
NetBIOS Session Service
    Message Type: Session message
    Length: 4156
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        Response to: 11
        SMB Command: Read AndX (0x2e)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x98
            1... .... = Request/Response: Message is a response to the client/redirector
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xe807
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..1. .... .... .... = Execute-only Reads: Permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .1.. = Security Signatures: Security signatures are supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Reserved: 000000000000000000000000
        Tree ID: 2049
        Process ID: 65279
        User ID: 2049
        Multiplex ID: 59267
    Read AndX Response (0x2e)
        Word Count (WCT): 12
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        FID: 0xc02a
        Remaining: 65535
        Data Compaction Mode: 0
        Reserved: 0000
        Data Length: 4096
        Data Offset: 60
        Reserved: 00000000000000000000
        Byte Count (BCC): 4097
        Padding: 01
        File Data: Incomplete. Only 1396 of 4096 bytes

0000  00 c0 4f 9b a0 ba 00 90 27 78 ad ff 08 00 45 00   ..O.....'x....E.
0010  05 dc d0 4c 40 00 80 06 db 01 c0 a8 64 72 c0 a8   ...L@.......dr..
0020  64 0a 01 bd 07 a8 0a 98 b6 de 61 18 9b 33 50 10   d.........a..3P.
0030  41 a5 db 4c 00 00 00 00 10 3c ff 53 4d 42 2e 00   A..L.....<.SMB..
0040  00 00 00 98 07 e8 00 00 00 00 00 00 00 00 00 00   ................
0050  00 00 01 08 ff fe 01 08 83 e7 0c ff 00 00 00 ff   ................
0060  ff 00 00 00 00 00 10 3c 00 00 00 00 00 00 00 00   .......<........
0070  00 00 00 01 10 01 4d 5a 90 00 03 00 00 00 04 00   ......MZ........
0080  00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00   ..............@.
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8   ..............!.
00c0  01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d   .L.!This program
00d0  20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69    cannot be run i
00e0  6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00   n DOS mode....$.
00f0  00 00 00 00 00 00 72 0e bb b5 36 6f d5 e6 36 6f   ......r...6o..6o
0100  d5 e6 36 6f d5 e6 68 4d de e6 35 6f d5 e6 4d 73   ..6o..hM..5o..Ms
0110  d9 e6 3a 6f d5 e6 b5 73 db e6 18 6f d5 e6 59 70   ..:o...s...o..Yp
0120  df e6 bf 6f d5 e6 59 70 de e6 3c 6f d5 e6 36 6f   ...o..Yp..<o..6o
0130  d5 e6 24 6f d5 e6 60 70 c6 e6 3a 6f d5 e6 36 6f   ..$o..`p..:o..6o
0140  d4 e6 b8 6e d5 e6 54 70 c6 e6 23 6f d5 e6 30 4c   ...n..Tp..#o..0L
0150  de e6 3f 6f d5 e6 30 4c df e6 2a 6e d5 e6 f1 69   ..?o..0L..*n...i
0160  d3 e6 37 6f d5 e6 52 69 63 68 36 6f d5 e6 00 00   ..7o..Rich6o....
0170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0180  00 00 00 00 00 00 50 45 00 00 4c 01 06 00 33 c3   ......PE..L...3.
0190  f7 3c 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01   .<..............
01a0  06 00 00 90 3f 00 00 b0 30 00 00 00 00 00 46 b0   ....?...0.....F.
01b0  3e 00 00 10 00 00 00 a0 3f 00 00 00 40 00 00 10   >.......?...@...
01c0  00 00 00 10 00 00 04 00 00 00 04 00 00 00 04 00   ................
01d0  00 00 00 00 00 00 00 50 70 00 00 10 00 00 00 00   .......Pp.......
01e0  00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00   ................
01f0  10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00   ................
0200  00 00 00 00 00 00 00 c0 42 00 04 01 00 00 00 00   ........B.......
0210  43 00 13 dc 2b 00 00 00 00 00 00 00 00 00 00 00   C...+...........
0220  00 00 00 00 00 00 00 e0 6e 00 14 21 01 00 00 00   ........n..!....
0230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cb   ................
0260  42 00 e8 09 00 00 00 00 00 00 00 00 00 00 00 00   B...............
0270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74   ...............t
0280  65 78 74 00 00 00 82 82 3f 00 00 10 00 00 00 90   ext.....?.......
0290  3f 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00   ?...............
02a0  00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e8 20   .. ..`.rdata... 
02b0  00 00 00 a0 3f 00 00 30 00 00 00 a0 3f 00 00 00   ....?..0....?...
02c0  00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64   ..........@..@.d
02d0  61 74 61 00 00 00 f0 e7 02 00 00 d0 3f 00 00 40   ata.........?..@
02e0  02 00 00 d0 3f 00 00 00 00 00 00 00 00 00 00 00   ....?...........
02f0  00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ad 32   ..@....idata...2
0300  00 00 00 c0 42 00 00 40 00 00 00 10 42 00 00 00   ....B..@....B...
0310  00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72   ..........@....r
0320  73 72 63 00 00 00 13 dc 2b 00 00 00 43 00 00 e0   src.....+...C...
0330  2b 00 00 50 42 00 00 00 00 00 00 00 00 00 00 00   +..PB...........
0340  00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 6b   ..@..@.reloc...k
0350  01 00 00 e0 6e 00 00 70 01 00 00 30 6e 00 00 00   ....n..p...0n...
0360  00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00   ..........@..B..
0370  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0380  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0390  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
03a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
03b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
03c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
03d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
03e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
03f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0400  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0410  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0420  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0430  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0440  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0450  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0460  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0470  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0480  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0490  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
04a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
04b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
04c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
04d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
04e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
04f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0500  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0510  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0520  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0530  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0540  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0550  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0560  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0570  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0580  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0590  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
05a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
05b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
05c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
05d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
05e0  00 00 00 00 00 00 00 00 00 00                     ..........

Thanks

John

		-----Original Message-----
		From:	Visser, Martin (Sydney) [mailto:Martin.Visser@xxxxxx]
		Sent:	Monday, August 26, 2002 6:21 PM
		To:	ethereal-users@xxxxxxxxxxxx
		Cc:	Evers, John E.
		Subject:	RE: [Ethereal-users] Find Frame / Filtering

		You're right, there is something broken (at least in 0.9.3 on win32).
		However there is a workaround that may work for you.
		For the bug fixers the following two examples DO match packets correctly:

		ipx[0:2] == "ff:ff"
		ipx[0:8] == "ff:ff:00:72:03:11:0a:8f"
		ipx[0] == "ff" && ipx [1] == "ff"

		But the following DON'T match

		ipx[0:] == "ff:ff"
		ipx[0:1] == "ff:ff"
		ipx[0:42] == "ff:ff"

		It seems that an open ended range or a range that doesn't exactly match
		the number of bytes in the match string doesn't work.

		-----Original Message-----
		From: Evers, John E. [mailto:JEVERS@xxxxxxx] 
		Sent: Tuesday, 27 August 2002 7:44 AM
		To: ethereal-users@xxxxxxxxxxxx
		Subject: [Ethereal-users] Find Frame / Filtering


		Hi,

		I do a lot of tracing which requires searching / filtering on the data
		stream.

		I have tried the "Find Frame" and "Filtering" options with the following
		parameters.

		smb[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from
		the hex data of a trace.
		ip[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from
		the hex data of a trace.
		tcp[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from
		the hex data of a trace.
		data[0:] == 43:00:6f:00:6d:00:6d:00:    ;I copied the hex data stream from
		the hex data of a trace.

		I have also tried to search for hex streams that were not separated
		by the 00 hex characters as in the above example, same results.

		Applying as a Filter displays no results and Find Frame responds with a
		"No Packet Matched Filter" message.

		I am guessing Ethereal does not support this, but as it is important to
		me I want to make sure before I abandon it for this application.

		Thanks for any feedback.

		John


		****************************************************************************
		This email may contain confidential material.
		If you were not an intended recipient,
		Please notify the sender and delete all copies.
		We may monitor email to and from our network.
		****************************************************************************
		_______________________________________________
		Ethereal-users mailing list
		Ethereal-users@xxxxxxxxxxxx
		http://www.ethereal.com/mailman/listinfo/ethereal-users

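Added example (not code from Ethereal, Wireshark, or anyone in this thread): a small Python model of the display-filter byte-slice forms the thread is probing, run over the first fourteen rows of the hex dump quoted above. In the filter language `proto[i:j]` means offset `i` and length `j` (not a start and an end offset), `proto[i-j]` is an inclusive offset range, `proto[:j]` is the first `j` bytes and `proto[i:]` runs to the end of the field; an `==` comparison against a byte string therefore holds only when the slice has exactly the string's length, which is the pattern Martin's working and non-working examples show. The layer offsets (SMB starting at frame byte 58) are computed from the header lengths in the decode above (Ethernet 14, IP 20, TCP 20, NetBIOS session header 4); offsets are written in decimal, so the "This" at hex `c4` is 196 frame-relative or 138 relative to the SMB header. The `contains` substring operator, which does the offset-free search John asks for, exists in current Wireshark; whether the 2002 Ethereal build had it is not stated on this page. The hex-dump constant and layer table are constructed for this example.

```python
"""Model of Ethereal/Wireshark display-filter byte slices.

Added example, not code from Ethereal or the mailing-list thread. It applies
the documented slice forms to a frame and shows which comparisons can match.
"""
import re

# Constructed for this example: the first 14 rows (frame bytes 0x00-0xdf) of
# the hex dump quoted in the message, without the ASCII column.
HEX_DUMP = """
0000  00 c0 4f 9b a0 ba 00 90 27 78 ad ff 08 00 45 00
0010  05 dc d0 4c 40 00 80 06 db 01 c0 a8 64 72 c0 a8
0020  64 0a 01 bd 07 a8 0a 98 b6 de 61 18 9b 33 50 10
0030  41 a5 db 4c 00 00 00 00 10 3c ff 53 4d 42 2e 00
0040  00 00 00 98 07 e8 00 00 00 00 00 00 00 00 00 00
0050  00 00 01 08 ff fe 01 08 83 e7 0c ff 00 00 00 ff
0060  ff 00 00 00 00 00 10 3c 00 00 00 00 00 00 00 00
0070  00 00 00 01 10 01 4d 5a 90 00 03 00 00 00 04 00
0080  00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00b0  00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8
00c0  01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d
00d0  20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69
"""

# Where each protocol's bytes start inside the frame, from the header lengths
# in the decode: Ethernet 14, IP 20, TCP 20, NetBIOS session header 4.
LAYER_OFFSET = {"frame": 0, "ip": 14, "tcp": 34, "nbss": 54, "smb": 58}

# name[i] | name[i:j] | name[i-j] | name[:j] | name[i:] | bare name (whole layer)
SLICE_RE = re.compile(r"^(\w+)(?:\[(\d*)(?:([:\-])(\d*))?\])?$")
FILTER_RE = re.compile(r"^\s*(\w+(?:\s*\[[^\]]*\])?)\s*(==|contains)\s*(.+?)\s*$")


def parse_hex_dump(text):
    """Turn 'offset  b0 b1 ...' rows into one bytes object (offset column dropped)."""
    out = bytearray()
    for line in text.strip().splitlines():
        out.extend(int(b, 16) for b in line.split()[1:])
    return bytes(out)


FRAME = parse_hex_dump(HEX_DUMP)


def parse_bytes_literal(lit):
    """'54:68:69:73' or '"ff:ff"' -> bytes; a trailing colon is tolerated."""
    lit = lit.strip().strip('"').strip(":")
    return bytes(int(x, 16) for x in lit.split(":"))


def take_slice(frame, spec):
    """Select the bytes a slice expression names, with Wireshark's meaning:
    [i:j] is offset i and LENGTH j, [i-j] is an inclusive offset range."""
    m = SLICE_RE.match(spec.replace(" ", ""))
    if not m:
        raise ValueError(f"bad slice (offsets must be decimal): {spec}")
    layer, a, sep, b = m.groups()
    buf = frame[LAYER_OFFSET[layer]:]
    if a is None:                       # no brackets: the whole layer
        return buf
    if sep is None:                     # [i]: a single byte
        i = int(a)
        return buf[i:i + 1]
    if sep == "-":                      # [i-j]: inclusive end offset
        return buf[int(a):int(b) + 1]
    start = int(a) if a else 0          # [:j] starts at offset 0
    if b == "":                         # [i:]: to the end of the layer
        return buf[start:]
    return buf[start:start + int(b)]    # [i:j]: offset, length


def eval_filter(frame, expr):
    """Evaluate 'slice == hexbytes' or 'slice contains hexbytes' on a frame."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr}")
    selected = take_slice(frame, m.group(1))
    wanted = parse_bytes_literal(m.group(3))
    if m.group(2) == "==":
        # Equality needs identical length: a 2-byte slice never equals 4 bytes.
        return selected == wanted
    return wanted in selected           # substring search, no offset needed


def locate(frame, needle, layer="frame"):
    """Offset of needle relative to the start of layer, or -1 if absent."""
    base = LAYER_OFFSET[layer]
    i = frame.find(needle, base)
    return -1 if i < 0 else i - base


if __name__ == "__main__":
    this = parse_bytes_literal("54:68:69:73")   # the bytes of "This"
    print("frame offset:", locate(FRAME, this), "smb offset:", locate(FRAME, this, "smb"))
    for f in ("frame[196:4] == 54:68:69:73", "smb[138:4] == 54:68:69:73",
              "smb[138:2] == 54:68:69:73", "smb[138:] == 54:68:69:73",
              "smb contains 54:68:69:73"):
        print(f"{f:32} -> {eval_filter(FRAME, f)}")
```

Running the script prints that "This" sits at frame offset 196 (SMB-relative 138), that `frame[196:4]` and `smb[138:4]` compare equal to `54:68:69:73`, that a 2-byte slice or an open-ended `smb[138:]` does not, and that `smb contains 54:68:69:73` matches without any offset. Feeding it a hex offset such as `smb [c4:c7]` raises a `ValueError`, because the slice grammar only takes decimal integers.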